Tuesday, 10. December 2002
eBook Programmer trial may rest
Wired is reporting that ElcomSoft is unlikely to be charged with offences related to the DMCA citing a former Adobe piracy investigator who suggests that it is unreasonable to expect a foreign business to comply with U.S. law.
If the first criminal case involving this bill fails to hold foreign infringers accountable, then developers around the world may be encouraged to continue research into security techniques like encryption.
The DMCA provisions prohibiting research, development and publication of tools for distributing and displaying copyrighted material need to be re-evaluated by governments around the globe.
The trial continues in a San Jose district court. [infoAnarchy]
Feds declare open wifi hotspots a terrorist tool
WiredNews has article describing the Homeland Security Department's dislike of wifi. My favorite quote from the article: Homeland Security is putting people in place who will be in a position to say, 'If you're going to get broken into ... we're going to start regulating,'" said Cable and Wireless security architect Shannon Myers This has some rather chilling implications for proponents of free community wireless networks. [infoAnarchy]
Trouble With Trojans
A security crisis is starting to emerge in the world of computing. The year 2002 will prove to be the worst year yet for malicious hacking. The following year will probably be worse. [Help Net Security]
Charges filed in alleged eBay scam
A Los Angeles man was charged on Wednesday with defrauding eBay buyers on six continents in what prosecutors called one of the largest Internet auctions scams uncovered.
Chris Chong Kim, 27, was charged with four counts of grand theft and 26 counts of holding a mock auction for allegedly failing to deliver the high-end computers and computer parts he sold on his eBay business site, Calvin Auctions.
Kim was arrested on Tuesday and was jailed in lieu of $400,000 bail. If convicted on all counts, he faces up to 24 years in prison.
The criminal complaint against Kim listed losses of $453,000 to 26 U.S. customers, eBay Inc. and Bank of America Corp. [Help Net Security]
LOS ANGELES, California (Reuters) -- A Los Angeles man was charged on Wednesday with defrauding eBay buyers on six continents in what prosecutors called one of the largest Internet auctions scams uncovered.
Chris Chong Kim, 27, was charged with four counts of grand theft and 26 counts of holding a mock auction for allegedly failing to deliver the high-end computers and computer parts he sold on his eBay business site, Calvin Auctions.
Kim was arrested on Tuesday and was jailed in lieu of $400,000 bail. If convicted on all counts, he faces up to 24 years in prison.
Complaints came from around the world
The criminal complaint against Kim listed losses of $453,000 to 26 U.S. customers, eBay Inc. and Bank of America Corp.
Los Angeles County prosecutors said Kim had been selling computers, laptops and other equipment for two years through Calvin Auctions. In April, he allegedly stopped shipping products but continued to sell on eBay until his business was shut down two months later.
The online auction house received more than 170 complaints from customers around the world. Their losses ranged from $1,900 to $6,000 each, prosecutors said.
Customers' Orders Exposed on Victoria's Secret Site
Tower Records site exposes data
A security hole on Tower Records' Web site exposed data on millions of U.S. and U.K. customers until it was closed late Wednesday. [Help Net Security]
Cyber Hype
Cyberterrorism is giving governments an opportunity to curb civil liberties, but is it really a lethal weapon? Mike Butcher reports
Thursday December 5, 2002 The Guardian
Just hours after a surface to air missile passed within metres of an Israeli airliner in Kenya last week, media websites began humming. Internet chatrooms set up by Islamic sympathisers had been buzzing with rumours of an attack barely a week before. It was just one in a long line of hysterical media reports alluding to the way the internet has been co-opted by "cyberterrorists" for their evil ends.
Since September 11, for which much of the planning happened over email, cyber-terrorism - loosely defined as using computers to intimidate others to further political or social objectives - has become a useful buzzword. Governments have used it to justify ramping up internet monitoring and - some argue - a corresponding crackdown on civil liberties online.
The official fear is that religious or political zealots could, for instance, hack into a hospital computer system to change a ward's dosage of medicine; or switch off a city's power supply; or change the operations at a sewage treatment works to poison the water.
In November last year, the European Union member states signed the Convention on Cybercrime. It was the first international treaty on crimes committed via the internet and other computer networks, dealing with infringements of copyright, computer-related fraud, child pornography and violations of network security.
It also contained a series of powers, such as the search of networks and "legitimate interception" of communications traffic. Europe is not the only one to resort to these methods. Last Thursday, President Bush signed legislation creating the new Homeland Security Department, which will bring together 22 federal agencies to help stop nuclear, chemical and biological attacks, and, specifically, cyberterrorism.
Japan is so concerned about the possibilities of cyberattack that they have thrown a virtual fence around the country to check email and web traffic. But Hollywood-style hacker scenarios such as those outlined in the latest James Bond movie are far removed from reality. At least, that's according to the people who should know: the hackers themselves.
As hackers and security consultants gathered last week for Dublin's Hivercon conference, a newer and simpler argument was aired: that it is far easier to be a real-world terrorist than a virtual-world one.
Simple Nomad is a senior security analyst for BindView Corporation and a founder of the Nomad Mobile Research Centre, an internationally known group of hackers. He is concerned about how governments are using the cyberterrorist pretext to "sniff" personal email and web traffic.
"Cyberterrorism is a catchy phrase and seems to be a hot topic. I'm not saying that a hack could never lead to someone's death, but it's much easier for a terrorist to throw a knapsack of poison into a reservoir than to do something remotely with a computer," he says. "If I knew George Bush was going into hospital and would be on a life support system, conceivably I could interrupt the power grid or hit the back-up batteries in the middle of his operation. But most of these systems already have a lot of safeguards, mainly just to prevent simple accidents."
Nomad argues that the biggest hackers, in fact, are governments themselves. "There are at least 10 governments out there - like the US, the British, the Germans, the Chinese - with very sophisticated teams. In the name of cyberterrorism, there is more funding than ever going into the listening and data sniffing capability of governments."
It is this capability that is often being used by countries to gain commercial advantage over other countries, not prevent terrorism, claims Nomad. He says one of the biggest "sniffers" is the international Echelon project, set up by western governments to sniff the net, telephones, and almost everything digital to provide intelligence for the security services.
Most of Echelon is large scale, to do with all telecommunications - which is why, he says, national governments have had to introduce such legislation as the UK's Regulation of Investigatory Powers Act to be able to monitor pure ISP internet traffic.
So can hackers really gain access to sensitive data? "Most of the big stuff, like military systems, can't be accessed anyway. There are air-gaps - things not connected to the outside internet," says Nomad. He is dismissive of the recent case where Gary McKinnon, a 36-year-old former systems administrator from London, allegedly deleted files on a server used by a US navy command centre between April and September of last year. Nomad believes this is a rare case and that the files could not have been sensitive if they were accessible via the net.
Tom Reeve, editor of Security Voice magazine, agrees: "From a global perspective, I am far less concerned about cyberterrorism and hacking than acts of terrorism in the physical world. With bombs going off around the world and everyone wondering when al-Qaida will strike next, who cares if a web server gets hacked?"
He admits he would be as annoyed as anyone if his web site was hacked or defaced: "But you couldn't justify diverting large amounts of resources from anti-terrorism in the physical world to protect my assets in the virtual world."
That's the argument of Hivercon speaker Richard Thieme, a consultant who is also contributing editor for Information Security Magazine and a regular speaker at the Black Hat Briefings and DefCon, the well-known hacker conferences. Thieme says some of these cases are legitimate causes for concern, but that usually, cyberterrorism is a sideline affair.
"It's a lot easier to blow up a pipeline in the middle of nowhere than it is to hack your way in over a computer terminal," he says. "A single car bomb in the right place in Wall Street, in conjunction with the events of 9/11, would have taken out the US financial system. Not a hack."
Such "force multipliers" can make a terrorist attack a great deal worse. "Using hackers in conjunction with real world events would have more impact, but just bringing down a web server does not," he says. Cyberterrorising is more often than not directed at opposing groups, rather than governments.
In the Israeli-Palestinian battle, criminal hackers, or "crackers", on both sides are constantly attacking one another's web sites. A Pakistani cracker once stole the credit card numbers of members of a pro-Israel lobbying group and posted them online.
Indeed, it is the Middle East and the Indian sub-continent, not western Europe, that have often been at the forefront of official attempts to block techno-terrorists.
Last week, Indian mobile phone companies were facing the prospect of a government plan to tap into SMS (short messaging service) mobile mail services to combat malicious hackers. And last year, the Yaha virus emerged to launch a rudimentary denial of service attack on the Pakistan government's website. But since then, computer hackers have reverted to type - going for corporate systems in the main.
According to Synstar, an information security company, 1,057 corporate organisations were hacked in September - a five-fold increase over the previous year's 225 attacks.
Thieme is one of the first to admit that the internet - the ultimate "network technology" - helped create the events of September 11. Although America's intelligence communities were well aware of the threat posed by small bands of fundamentalists before 9/11, "it brought home to them that the way power is distributed has been changed by network technology", says Thieme.
In fact, in common with Simple Nomad, he points out that the US itself is capable of the biggest acts of cyberterrorism. "The US has enough electronic warfare capabilities in its own right. High power microwaves can knock out command and control centres. It's not necessary to just hack the enemy's network. We did this in Kosovo, and in Iraq."
"Ultimately, the idea of a cyber Pearl Harbor is pure hype. The surrender of some liberties in the name of security is about physical security and terrorism, not cyberterrorism, which is a less important subset. People are much more worried about dirty bombs and gas attacks."
Thieme argues that the true cyber threat does not come in the traditional form of the disaffected hacker located in a remote country, but the insider - the guy who already knows all the passwords and works inside the system.
"The next stage for technology is true globalisation. We'll see a single kind of flexible interface develop which unites all societies. So the biggest threat to society is an insider who uses our own technology like an insider - just as happened on 9/11."
In the final analysis, however, hackers saying they are not going to get involved in cyberterrorism is not going to be enough to call off the dogs and halt the data clampdown, even if some of the most sensitive systems are not directly connected to the internet.
Jason Hart, head of secu rity with consultants says: "As far as we know, no one has died as a result of the work of a hacker, but we'll never know the true answer because of the nature of hacking.
'Good' hackers don't leave any trace of their incursion into a system. So, for instance, someone could hack into an airline system to change the weight allowance on an airliner's payload, causing the plane to crash on take-off or landing.
"Everyone is aware of the physical threat to, say a reservoir, but at the end of the day, that threat has to be checked using computer systems, which are vulnerable," says Hart. He points to evidence that drug cartels have employed hackers to do such things as fooling banking systems to take a pound every month from 20,000 individual credit card accounts.
"You can hide the fact that a pound goes missing and use that money to fund more hacking. Terrorists could use this model to fund their own activities. "The biggest threat is ignorance - people believing it will not happen to them."
[LinuxSecurity.com]
Schneier: Homeland Security Needs Cops
John Young writes "In the September Atlantic Monthly Bruce Schneier explains yet again why cryptography is not the solution to security; what's needed are private cyber cops like his:
http://www.theatlantic.com/issues/2002/09/mann.htm
Amazing how Bruce's philosopy matches that of those he once combated in the "crypto wars." He recants crypto security to remind that there is never to be found lasting security, as with the TLAs worldwide, except by well-paid vigilance of those who know best how to protect us. He may be right, or he may smell Starbucks.
Quote:
When I asked Schneier why Counterpane had such Darth Vaderish command centers, he laughed and said it helped to reassure potential clients that the company had mastered the technology. I asked if clients ever inquired how Counterpane trains the guards and analysts in the command centers. "Not often," he said, although that training is in fact the center of the whole system. Mixing long stretches of inactivity with short bursts of frenzy, the work rhythm of the Counterpane guards would have been familiar to police officers and firefighters everywhere. As I watched the guards, they were slurping soft drinks, listening to techno-death metal, and waiting for something to go wrong. They were in a protected space, looking out at a dangerous world. Sentries around Neolithic campfires did the same thing. Nothing better has been discovered since. Thinking otherwise, in Schneier's view, is a really terrible idea.
Unquote
Heroes, by god, what we need are more poster boy heroes."
[Openflows Networks Ltd.: Analysis]
Feds turn up heat on high-tech industry links to al-Qaeda
Last night's raid of a Massachusetts-based software firm for possible links to al-Qaeda signals a shift in the FBI's focus on nongovernmental organizations and charities to corporate America, including the IT industry, experts close to the investigation said.
Bringing to a close one phase of an ongoing investigation code-named Operation Greenquest, the FBI raided the Quincy, Mass., offices of Ptech Inc. in an effort to search for evidence that the company was involved in helping to finance al-Qaeda operations. It is also investigating the possibility that software Ptech sold to various government agencies may have contained malicious code. [Computerworld]
Millionenstrafe für heimliche Filmer
Dieses Signal ist deutlich: Eine Gruppe von Porno-Händlern, die heimlich Aufnahmen von nackten Sportlern gemacht haben, wurde zu einer Geldstrafe von 506 Millionen Dollar verurteilt. [intern.de]
Russland - rechtsfreie Zone
Nach Einschätzung eines russischen Polizisten entwickelt sich sein Land zur Hochburg für den Handel mit Kinderpornographie. [intern.de]
Clever Anti-DMCA Argument by 321 Studios
PC World runs an interesting story on 321 Studios and their new software package, DVD X Copy, which permit users to copy DVD movies from DVD to a recordable DVD (New Tool Makes DVD Copying Easy). The article also talks about the ongoing DMCA-based lawsuit pre-emptively launched by 321 Studios against the MPAA and movie studios. [...]
What the article doesn't mention is the current status of the case, which is trying to survive the same legal question that torpedoed Ed Felten's case - whether a case or controversy exists. The movie studios claim that they have not threatened to sue 321 Studios and that, in any case, the legal issues raised by the case will be answered in the Elcomsoft case and thus do not need to be answered in the 321 lawsuit. The studios' case on this issue is fairly strong. I hope that 321 does it make it to the next stage of the lawsuit, but it is unclear whether that will happen. The next hearing in the 321 case will be held in January.
The article does have a particularly interesting quote, however:
What's more, [Robert Moore, president and founder of 321 Studios] says, DVD X Copy doesn't actually break the CSS on commercial DVDs.
Instead, 321 Studios intercepts the video and audio stream after a DVD player has decrypted the CSS code. Moore argues that all DVD players decrypt the CSS code when they play a protected DVD. Because it intercepts the signal after decryption but before the video is rendered, the product does not run afoul of the DMCA, he says.
This is actually a very interesting legal point. The anti-circumvention clause of the DMCA distinguishes between "access" control (17 USC 1201(a)) and control over other rights of the copyright holder (17 USC 1201(b)) (essentially, copy control). Unfortunately, the courts have failed to make this distinction, conflating access with use. After all, you have to "access" a work to use it, right? Thus, all technical protection devices become "access" control devices. This is not the meaning Congress intended and has the effect of making the DMCA even worse than it is. You see, it is legal to circumvent for purposes of making fair use if the device only protects other rights of the copyright holder (17 USC 1201(b)). It is illegal to circumvent an "access control device" for fair use purposes since, presumably, you don't have a right to access the work in the first place (17 USC 1201(a)). In both cases, it is illegal to distribute the tools to circumvent (even if using the tools is legal under 17 USC 1201(b)).
This claim by 321 Studios emphasizes the distinction between the two types of devices. After all, they couldn't capture the decrypted signal unless there was legitimate "access" to the signal in the first place. A clever and proper argument against the "access" control argument, I believe. However, if the claim is that 321 Studios does not violate 1201(b) as well, then it goes too far for a judge to accept (not that the more limited claim will be a difficult win as well). [via LawMeme via The Shifted Librarian]
Effective Learning and Teaching in Law
For comments on the new book, Effective Learning and Teaching in Law, read Lorna E. Gillies' review. [excited utterances]
disLEXia, a research project by Maximillian Dornseif
 |  |  | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 |
   |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 |  |  | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||